Revert change 438035 is_admin_project default

This change reverts having is_admin_project default to False [0] since we currently need to have it revert to True in order to account for anyone who has not configured an admin project. This will be truely fixed at a later date. This also adds comments from another change [1] which clarifies the for why this should not be changed at this moment. [0] https://review.openstack.org/#/c/438035/ [1] https://review.openstack.org/#/c/257636/ Partial-Bug: 968696 Change-Id: I039bfc8a41d43634ebad545725b9188a82afb990 Co-Authored-By: Adam Young <ayoung@redhat.com> Co-Authored-By: Matthew Edmonds <edmondsw@us.ibm.com>
2017-05-11 10:34:26 -04:00 · 2017-05-11 10:34:26 -04:00 · 4a82ab9065
commit 4a82ab9065
parent 6e00d3c94d
2 changed files with 9 additions and 4 deletions
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@ -192,10 +192,15 @@ class KeystoneToken(dict):

    @property
    def is_admin_project(self):
+        # Prevent domain scoped tokens from acting as is_admin_project
        if self.domain_scoped:
-            # Currently, domain scoped tokens cannot act as is_admin_project
            return False
-        return self.get('is_admin_project', False)
+        # TODO(ayoung/edmondsw): Having is_admin_project default to True is
+        # essential for fixing bug #968696. If an admin project is not
+        # configured, we can add checks for is_admin_project:True and not
+        # block anyone that hasn't configured an admin_project. Do not change
+        # this until we can assume admin_project is actually set
+        return self.get('is_admin_project', True)

    @property
    def trust_id(self):
--- a/keystone/tests/unit/token/test_token_model.py
+++ b/keystone/tests/unit/token/test_token_model.py
@ -87,8 +87,8 @@ class TestKeystoneTokenModel(core.TestCase):
        self.assertTrue(token_data.scoped)
        self.assertTrue(token_data.trust_scoped)

-        # by default admin project is False for project scoped tokens
-        self.assertFalse(token_data.is_admin_project)
+        # by default admin project is True for project scoped tokens
+        self.assertTrue(token_data.is_admin_project)

        self.assertEqual(
            [r['id'] for r in self.v3_sample_token['token']['roles']],